NetWitness Community

Hello David,

Some username also can be in format USERNAME@DOMAIN. Could you improve parser and add this patern to the parser? The USERNAME put to user.dst field, the DOMAIN put to domain filed and @ is delete.

Here is the new version

local ExtractUser = nw.createParser("ExtractUser", "Splits a username of the form domain\user into domain and username parts")

--[[

    DESCRIPTION

        Splits a username of the from DOMAIN\USERNAME into DOMAIN and USERNAME parts

  Splits a username of the form DOMAIN@USERNAME into DOMAIN and USERNAME parts

  Splits a username of the form DOMAIN\USERNAME@DOMAIN into DOMAIN and USERNAME parts

        If the username does not contain a \ then we write the value unchanged

    VERSION

       2nd March - Initial Developemnt

    2.0 - Add ability parse our username@DOMAIN

    AUTHOR

        david.waugh2@rsa.com

    DEPENDENCIES

  The input key is tr_username

  In the Table Map Custom.xml file on the logdecoder make sure username is mapped to tr_username as follows:

  <mapping envisionName="username" nwName="tr_username" flags="Transient" format="Text" envisionDisplayName="UserName|UserID|User|UserName|Username" nullTokens="none|-"/>

    NOTES

                None

--]]

-- These are the meta keys that we will write meta into

ExtractUser:setKeys({

    nwlanguagekey.create("user.dst", nwtypes.Text),

  nwlanguagekey.create("domain", nwtypes.Text)})

function ExtractUser:userdst(index, myusername)

   local domain,username = string.match(myusername,"(.*)\\(.*)") -- Check for \

   local atusername,domainat = string.match(myusername,"(.*)%@(.*)") -- Check for @

   local domainslash,usernameat,atdomain = string.match(myusername,"(.*)\\(.*)%@(.*)")

--[[ For Debugging  

if domain then   nw.logInfo("domain: " .. domain) end

if username then nw.logInfo("username: " .. username) end

if domainat then nw.logInfo("domainat: " .. domainat) end

if atusername then nw.logInfo("atusername: " .. atusername) end

if domainslash then nw.logInfo("domainslash: " .. domainslash) end

if usernameat then nw.logInfo("usernameat: " .. usernameat) end

if atdomain then nw.logInfo("atdomain: " ..atdomain) end

--]] 

  if(domain == nil and domainat == nil and domainslash ==nil) then

    nw.createMeta(self.keys["user.dst"],myusername)

  else -- Username was of the form domain\user so split into component parts

  --nw.logInfo("myusername: " .. myusername)

    if( domain and not domainslash) then -- myusername contained \

  nw.createMeta(self.keys["user.dst"],username)

     nw.createMeta(self.keys["domain"],domain)

  else if(domainat and not domainslash) then-- myusername contained @

  nw.createMeta(self.keys["user.dst"],atusername)

     nw.createMeta(self.keys["domain"],domainat)

  else if(domainslash) then

  nw.createMeta(self.keys["user.dst"],usernameat)

         nw.createMeta(self.keys["domain"],domainslash)

  nw.createMeta(self.keys["domain"],atdomain)

  end

  end

  end

  end

end

ExtractUser:setCallbacks({

   [nwlanguagekey.create("tr_username", nwtypes.Text)] =ExtractUser.userdst,

})

It will work with usernames of the following form

user1@domain1

domain2@user2

domain3\\user3@domain4

No different between Logs and Packets. You should upload the parser through Parser tab of your Log Decoder.